RUGGEDCOM ROS v4.1 User Guide for RP110 (12/2014)



Post on 03-Feb-2021


  • RUGGEDCOM ROS v4.1

    User Guide

    For RP110

    12/2014

    Preface

    Introduction 1

    Using ROS 2

    Device Management 3

    System Administration 4

    Setup and Configuration 5

    Troubleshooting 6

    RC1106-EN-01

  • RUGGEDCOM ROS User Guide


    Copyright © 2014 Siemens Canada Ltd.

    All rights reserved. Dissemination or reproduction of this document, or evaluation and communication of its contents, is not authorized except where expressly permitted. Violations are liable for damages. All rights reserved, particularly for the purposes of patent application or trademark registration.

    This document contains proprietary information, which is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced or translated to another language without the prior written consent of Siemens Canada Ltd.

    Disclaimer Of Liability

    Siemens has verified the contents of this manual against the hardware and/or software described. However, deviations between the product and the documentation may exist.

    Siemens shall not be liable for any errors or omissions contained herein or for consequential damages in connection with the furnishing, performance, or use of this material.

    The information given in this document is reviewed regularly and any necessary corrections will be included in subsequent editions. We appreciate any suggested improvements. We reserve the right to make technical improvements without notice.

    Registered Trademarks

    ROX™, Rugged Operating System On Linux™, CrossBow™ and ELAN™ are trademarks of Siemens Canada Ltd. ROS® is a registered trademark of Siemens Canada Ltd.

    Other designations in this manual might be trademarks whose use by third parties for their own purposes would infringe the rights of the owner.

    Third Party Copyrights

    Siemens recognizes the following third party copyrights:

    • Copyright © 2004 GoAhead Software, Inc. All Rights Reserved.

    Security Information

    Siemens provides products and solutions with industrial security functions that support the secure operation of plants, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens' products and solutions undergo continuous development. Siemens recommends strongly that you regularly check for product updates.

    For the secure operation of Siemens products and solutions, it is necessary to take suitable preventive action (e.g. cell protection concept) and integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should also be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity.

    To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.

    Warranty

    Refer to the License Agreement for the applicable warranty terms and conditions, if any.

    For warranty details, visit www.siemens.com/ruggedcom or contact a Siemens customer service representative.

    Contacting Siemens

    Address
    Siemens Canada Ltd.
    Industry Sector
    300 Applewood Crescent
    Concord, Ontario
    Canada, L4K 5C7

    Telephone
    Toll-free: 1 888 264 0006
    Tel: +1 905 856 5288
    Fax: +1 905 856 1995

    [email protected]

    Web
    www.siemens.com/ruggedcom


  • Table of Contents

    Preface
      Conventions
        Alerts
        CLI Command Syntax
      Related Documents
      System Requirements
      Accessing Documentation
      Training
      Customer Support

    Chapter 1: Introduction
      1.1 Overview
      1.2 Security Recommendations and Considerations
        1.2.1 Security Recommendations
        1.2.2 Key Files
          1.2.2.1 SSL Certificates
          1.2.2.2 SSH Key Pairs
      1.3 Available Services by Port
      1.4 SNMP Management Interface Base (MIB) Support
        1.4.1 Supported Standard MIBs
        1.4.2 Supported Proprietary RUGGEDCOM MIBs
        1.4.3 Supported Agent Capabilities
      1.5 SNMP Traps
      1.6 ModBus Management Support
        1.6.1 ModBus Function Codes
        1.6.2 ModBus Memory Map
        1.6.3 ModBus Memory Formats
          1.6.3.1 Text
          1.6.3.2 Cmd
          1.6.3.3 Uint16
          1.6.3.4 Uint32
          1.6.3.5 PortCmd
          1.6.3.6 Alarm
          1.6.3.7 PSStatusCmd
          1.6.3.8 TruthValues
      1.7 Certificate and Key Requirements

    Chapter 2: Using ROS
      2.1 Connecting to ROS
        2.1.1 Connecting Directly
        2.1.2 Connecting via the Network
      2.2 Logging In
      2.3 Logging Out
      2.4 Using the Web Interface
      2.5 Using the Console Interface
      2.6 Using the Command Line Interface
        2.6.1 Available CLI Commands
        2.6.2 Tracing Events
        2.6.3 Executing Commands Remotely via RSH
        2.6.4 Using SQL Commands
          2.6.4.1 Finding the Correct Table
          2.6.4.2 Retrieving Information
          2.6.4.3 Changing Values in a Table
          2.6.4.4 Resetting a Table
          2.6.4.5 Using RSH and SQL
      2.7 Selecting Ports in ROS
      2.8 Managing the Flash File System
        2.8.1 Viewing a List of Flash Files
        2.8.2 Viewing Flash File Details
        2.8.3 Defragmenting the Flash File System

    Chapter 3: Device Management
      3.1 Viewing Product Information
      3.2 Viewing CPU Diagnostics
      3.3 Restoring Factory Defaults
      3.4 Configuring an IP Interface
      3.5 Uploading/Downloading Files
        3.5.1 Uploading/Downloading Files Using XMODEM
        3.5.2 Uploading/Downloading Files Using a TFTP Client
        3.5.3 Uploading/Downloading Files Using a TFTP Server
        3.5.4 Uploading/Downloading Files Using an SFTP Server
      3.6 Managing Logs
        3.6.1 Viewing Local Logs
        3.6.2 Clearing Local Logs
        3.6.3 Configuring the Local System Log
        3.6.4 Managing Remote Logging
          3.6.4.1 Configuring the Remote Syslog Client
          3.6.4.2 Viewing a List of Remote Syslog Servers
          3.6.4.3 Adding a Remote Syslog Server
          3.6.4.4 Deleting a Remote Syslog Server
      3.7 Managing IP Gateways
        3.7.1 Viewing a List of IP Gateways
        3.7.2 Adding an IP Gateway
        3.7.3 Deleting an IP Gateway
      3.8 Configuring IP Services
      3.9 Upgrading/Downgrading Firmware
        3.9.1 Upgrading Firmware
        3.9.2 Downgrading Firmware
      3.10 Resetting the Device
      3.11 Decommissioning the Device

    Chapter 4: System Administration
      4.1 Configuring the System Information
      4.2 Customizing the Login Screen
      4.3 Configuring Passwords
      4.4 Managing Alarms
        4.4.1 Viewing a List of Pre-Configured Alarms
        4.4.2 Viewing and Clearing Latched Alarms
        4.4.3 Configuring an Alarm
        4.4.4 Authentication Related Security Alarms
          4.4.4.1 Security Alarms for Login Authentication
          4.4.4.2 Security Messages for Port Authentication
      4.5 Managing the Configuration File
        4.5.1 Configuring Data Encryption
        4.5.2 Updating the Configuration File
      4.6 Managing an Authentication Server
        4.6.1 Managing RADIUS Authentication
          4.6.1.1 Configuring the RADIUS Server
          4.6.1.2 Configuring the RADIUS Client
        4.6.2 Managing TACACS+ Authentication
          4.6.2.1 Configuring TACACS+
          4.6.2.2 Configuring User Privileges

    Chapter 5: Setup and Configuration
      5.1 Configuring the DHCP Relay Agent
      5.2 Managing Time Services
        5.2.1 Configuring the Time and Date
        5.2.2 Configuring IRIG-B
        5.2.3 Configuring the Time Source
        5.2.4 Configuring NTP
        5.2.5 Viewing the Status of Time Synchronization Subsystems
      5.3 Managing SNMP
        5.3.1 Managing SNMP Users
          5.3.1.1 Viewing a List of SNMP Users
          5.3.1.2 Adding an SNMP User
          5.3.1.3 Deleting an SNMP User
        5.3.2 Managing Security-to-Group Mapping
          5.3.2.1 Viewing a List of Security-to-Group Maps
          5.3.2.2 Adding a Security-to-Group Map
          5.3.2.3 Deleting a Security-to-Group Map
        5.3.3 Managing SNMP Groups
          5.3.3.1 Viewing a List of SNMP Groups
          5.3.3.2 Adding an SNMP Group
          5.3.3.3 Deleting an SNMP Group
      5.4 Managing Network Discovery
      5.5 Managing Serial Protocols
        5.5.1 Encapsulation Concepts
          5.5.1.1 Raw Socket Character Encapsulation
          5.5.1.2 RTU Polling
          5.5.1.3 Broadcast RTU Polling
          5.5.1.4 Preemptive Raw Socket
          5.5.1.5 Port Redirectors
          5.5.1.6 Message Packetization
        5.5.2 Modbus Concepts
          5.5.2.1 Modbus Server Client Applications
          5.5.2.2 Modbus TCP Performance Determinants
          5.5.2.3 Turnaround Delay
        5.5.3 DNP, Microlok, TIN and WIN Concepts
          5.5.3.1 DNP, Microlok, TIN and WIN Applications
          5.5.3.2 The Concept of Links
          5.5.3.3 Address Learning for TIN
          5.5.3.4 Address Learning for DNP
          5.5.3.5 Broadcast Messages
          5.5.3.6 Transport Protocols
        5.5.4 Force Half-Duplex (HD) Operation Mode
        5.5.5 Configuring a Serial Port
        5.5.6 Configuring the Raw Socket Protocol
        5.5.7 Configuring the Preemptive Raw Socket Protocol
        5.5.8 Configuring a TCP Modbus Server
        5.5.9 Configuring a TCP Modbus Client
        5.5.10 Configuring the WIN and TIN Protocols
        5.5.11 Configuring the MicroLok Protocol
        5.5.12 Configuring the DNP Protocol
        5.5.13 Configuring the DNP Over Raw Socket Protocol
        5.5.14 Configuring the Mirrored Bits Protocol
        5.5.15 Configuring the Telnet Com Port Protocol
        5.5.16 Managing Raw Socket Remote Hosts
          5.5.16.1 Viewing a List of Remote Hosts
          5.5.16.2 Adding a Remote Host
          5.5.16.3 Deleting a Remote Host
        5.5.17 Managing Device Addresses
          5.5.17.1 Viewing a List of Device Addresses
          5.5.17.2 Adding a Device Address
          5.5.17.3 Deleting a Device Address
        5.5.18 Viewing the TIN Dynamic Address Table
        5.5.19 Viewing Statistics for Serial Protocol Links
        5.5.20 Viewing Statistics for Serial Protocol Connections
        5.5.21 Viewing Serial Port Statistics
        5.5.22 Clearing Statistics for Specific Serial Ports
        5.5.23 Resetting Serial Ports

    Chapter 6: Troubleshooting
      6.1 General

  • Preface

    This guide describes v4.1 of ROS (Rugged Operating System) running on the RUGGEDCOM RP110. It contains instructions and guidelines on how to use the software, as well as some general theory.

    It is intended for use by network technical support personnel who are familiar with the operation of networks. It is also recommended for use by network and system planners, system programmers, and line technicians.

    IMPORTANT!
    Some of the parameters and options described may not be available depending on variations in the device hardware. While every attempt is made to accurately describe the specific parameters and options available, this Guide should be used as a companion to the Help text included in the software.

    Conventions

    This User Guide uses the following conventions to present information clearly and effectively.

    Alerts

    The following types of alerts are used when necessary to highlight important information.

    DANGER!
    DANGER alerts describe imminently hazardous situations that, if not avoided, will result in death or serious injury.

    WARNING!
    WARNING alerts describe hazardous situations that, if not avoided, may result in serious injury and/or equipment damage.

    CAUTION!
    CAUTION alerts describe hazardous situations that, if not avoided, may result in equipment damage.

    IMPORTANT!
    IMPORTANT alerts provide important information that should be known before performing a procedure or step, or using a feature.

    NOTE
    NOTE alerts provide additional information, such as facts, tips and details.


    CLI Command Syntax

    The syntax of commands used in a Command Line Interface (CLI) is described according to the following conventions:

    Example                                                    Description
    command                                                    Commands are in bold.
    command parameter                                          Parameters are in plain text.
    command parameter1 parameter2                              Parameters are listed in the order they must be entered.
    command parameter1 parameter2                              Parameters in italics must be replaced with a user-defined value.
    command [parameter1 | parameter2]                          Alternative parameters are separated by a vertical bar (|).
                                                               Square brackets indicate a required choice between two or more parameters.
    command {parameter3 | parameter4}                          Curly brackets indicate an optional parameter(s).
    command parameter1 parameter2 {parameter3 | parameter4}    All commands and parameters are presented in the order they must be entered.

    Related Documents

    Other documents that may be of interest include:

    • RUGGEDCOM RP110 Installation Guide

    • RUGGEDCOM RP110 Data Sheet

    • RUGGEDCOM Fiber Guide

    • RUGGEDCOM Wireless Guide

    • White Paper: Rapid Spanning Tree in Industrial Networks

    System Requirements

    Each workstation used to connect to the ROS interface must meet the following system requirements:

    • Must have one of the following Web browsers installed:

    ▪ Microsoft Internet Explorer 8.0 or higher

    ▪ Mozilla Firefox

    ▪ Google Chrome

    ▪ Iceweasel/IceCat (Linux Only)

    • Must have a working Ethernet interface compatible with at least one of the port types on the RUGGEDCOM device

    • The ability to configure an IP address and netmask on the computer’s Ethernet interface


    Accessing Documentation

    The latest Hardware Installation Guides and Software User Guides for most RUGGEDCOM products are available online at www.siemens.com/ruggedcom.

    For any questions about the documentation or for assistance finding a specific document, contact a Siemens sales representative.

    Training

    Siemens offers a wide range of educational services ranging from in-house training of standard courses on networking, Ethernet switches and routers, to on-site customized courses tailored to the customer's needs, experience and application.

    Siemens' Educational Services team thrives on providing our customers with the essential practical skills to make sure users have the right knowledge and expertise to understand the various technologies associated with critical communications network infrastructure technologies.

    Siemens' unique mix of IT/Telecommunications expertise combined with domain knowledge in the utility, transportation and industrial markets, allows Siemens to provide training specific to the customer's application.

    For more information about training services and course availability, visit www.siemens.com/ruggedcom or contact a Siemens sales representative.

    Customer Support

    Customer support is available 24 hours, 7 days a week for all Siemens customers. For technical support or general information, contact Siemens Customer Support through any of the following methods:

    • Online
      Visit http://www.siemens.com/automation/support-request to submit a Support Request (SR) or check on the status of an existing SR.

    • Telephone
      Call a local hotline center to submit a Support Request (SR). To locate a local hotline center, visit http://www.automation.siemens.com/mcms/aspa-db/en/automation-technology/Pages/default.aspx.

    • Mobile App
      Install the Industry Online Support app by Siemens AG on any Android, Apple iOS or Windows mobile device and be able to:

    ▪ Access Siemens' extensive library of support documentation, including FAQs, manuals, and much more

    ▪ Submit SRs or check on the status of an existing SR

    ▪ Find and contact a local contact person

    ▪ Ask questions or share knowledge with fellow Siemens customers and the support community

    ▪ And much more...


    Introduction

    This chapter provides a basic overview of the ROS software. It describes the following topics:

    • Section 1.1, “Overview”

    • Section 1.2, “Security Recommendations and Considerations”

    • Section 1.3, “Available Services by Port”

    • Section 1.4, “SNMP Management Interface Base (MIB) Support”

    • Section 1.5, “SNMP Traps”

    • Section 1.6, “ModBus Management Support”

    • Section 1.7, “Certificate and Key Requirements”

    Section 1.1

    Overview

    Welcome to the ROS Software User Guide for the RP110. This Guide describes the wide array of carrier grade features made available by ROS (Rugged Operating System). These features include:

    IMPORTANT! The RP110 is not intended for use or resale as online control equipment in hazardous, high-risk environments that require fail-safe performance, such as nuclear facilities, aircraft navigation or communication systems, air traffic control, direct life support machines or weapons systems, in which the failure of the software could result in death, personal injury, or severe physical or environmental damage.

    Cyber Security Features

    • Multi-level user passwords
    • SSH/SSL (128-bit encryption)
    • RADIUS centralized password management
    • SNMPv3 authentication and 56-bit encryption

    Management Features

    • Web-based, Telnet, CLI management interfaces
    • SNMP v1/v2/v3 (56-bit encryption)
    • Remote Monitoring (RMON)
    • Rich set of diagnostics with logging and alarms


    Section 1.2

    Security Recommendations and Considerations

    The following describes important security-related recommendations and suggestions that should be considered before implementing the RP110 on any network:

    • Section 1.2.1, “Security Recommendations”

    • Section 1.2.2, “Key Files”

    Section 1.2.1

    Security Recommendations

    To prevent unauthorized access to the device, note the following security recommendations:

    • Do not connect the device to the Internet. Deploy the device only within a secure network perimeter.

    • Replace the default passwords for all user accounts and processes (where applicable) before the device is deployed.

    • Use strong passwords. Avoid weak passwords such as password1, 123456789, abcdefgh, etc. For more information about creating strong passwords, refer to the password requirements in Section 4.3, “Configuring Passwords”.

    • Make sure passwords are protected and not shared with unauthorized personnel.

    • Passwords should not be re-used across different usernames and systems, or after they expire.

    • When RADIUS authentication is done remotely, make sure all communications are within the security perimeter or on a secure channel.

    • SSL and SSH keys are accessible to users who connect to the device via the serial console. Make sure to take appropriate precautions when shipping the device beyond the boundaries of the trusted environment:

    ▪ Replace the SSH and SSL keys with throwaway keys prior to shipping.

    ▪ Take the existing SSH and SSL keys out of service. When the device returns, create and program new keys for the device.

    • Restrict physical access to the device to only trusted personnel. A person with malicious intent could extract critical information, such as certificates, keys, etc. (user passwords are protected by hash codes), or reprogram the device.

    • Control access to the serial console to the same degree as any physical access to the device. Access to the serial console allows for potential access to the ROS boot loader, which includes tools that may be used to gain complete access to the device.

    • Only enable services that will be used on the device, including physical ports. Unused physical ports could potentially be used to gain access to the network behind the device.

    • If SNMP is enabled, limit the number of IP addresses that can connect to the device and change the community names. Also configure SNMP to raise a trap upon authentication failures. For more information, refer to Section 5.3, “Managing SNMP”.

    • Avoid using insecure services such as Telnet and TFTP, or disable them completely if possible. These services are available for historical reasons and are disabled by default.

    • Limit the number of simultaneous Web Server, Telnet and SSH sessions allowed.

    • Configure remote system logging to forward all logs to a central location. For more information, refer to Section 3.6, “Managing Logs”.


    • Configuration files are provided in the CSV (comma separated values) format for ease of use. Make sure configuration files are properly protected when they exist outside of the device. For instance, encrypt the files, store them in a secure place, and do not transfer them via insecure communication channels.

    • Management of the configuration file, certificates and keys is the responsibility of the device owner. Before returning the device to Siemens for repair, make sure encryption is disabled (to create a cleartext version of the configuration file) and replace the current certificates and keys with temporary throwaway certificates and keys that can be destroyed upon the device's return.

    • Be aware of any non-secure protocols enabled on the device. While some protocols, such as HTTPS and SSH, are secure, others, such as Telnet and RSH, were not designed for this purpose. Appropriate safeguards against non-secure protocols should be taken to prevent unauthorized access to the device/network.

    • Periodically audit the device to make sure it complies with these recommendations and/or any internal security policies.

    Section 1.2.2

    Key Files

    ROS uses security keys to establish secure remote logins (SSH) and Web access (SSL).

    It is strongly recommended that a unique SSL certificate and SSH keys be created and provisioned. New ROS-based units from Siemens will be shipped with a unique certificate and keys preconfigured in the ssl.crt and ssh.keys flash files.

    The default and auto-generated SSL certificates are self-signed. It is recommended to use an SSL certificate that is either signed by a trusted third-party Certificate Authority (CA) or by an organization's own CA. This technique is described in the Siemens application note: Creating/Uploading SSH Keys and SSL Certificates to ROS Using Windows, available from www.siemens.com/ruggedcom.

    The sequence of events related to Key Management during an upgrade to ROS v4.1 or later is as follows:

    NOTE: The auto-generation of SSH keys is not available for Non-Controlled (NC) versions of ROS.

    • On first boot, ROS will start the SSH and SSL services using the default keys.

    • Immediately after boot, ROS will start to generate a unique SSL certificate and SSH key pair, and save each one to its corresponding flash file. As each one is created, the corresponding service is immediately restarted with the new keys.

    • At any time during the key generation process, custom keys can be uploaded. The custom keys will take precedence over both the default and auto-generated keys.

    • On subsequent boot, if there is a valid ssl.crt file, the default certificate will not be used for SSL. If there is a valid ssh.keys file, the default SSH key will not be used.

    • At any time, new keys may be uploaded or generated by ROS using the sslkeygen or sshkeygen CLI commands.

    The following sections describe SSL certificates and SSH key pairs in more detail:

    • Section 1.2.2.1, “SSL Certificates”

    • Section 1.2.2.2, “SSH Key Pairs”


    Section 1.2.2.1

    SSL Certificates

    ROS supports SSL certificates that conform to the following specifications:

    • X.509 v3 digital certificate format

    • PEM format

    • RSA key pair, 512 to 2048 bits

    The RSA key pair used in the default certificate and in those generated by ROS uses a public key of 1024 bits in length.

    NOTE: RSA keys smaller than 1024 bits in length are not recommended. Support is only included here for compatibility with legacy equipment.

    NOTE: The default certificate and keys are common to all ROS versions without a certificate or key files. That is why it is important to either allow the key auto-generation to complete or to provision custom keys. In this way, one has at least unique, and at best, traceable and verifiable keys installed when establishing secure communication with the unit.

    The following (bash) shell script fragment uses the openssl command line utility to generate a self-signed X.509 v3 SSL certificate with a 1024 bit RSA key suitable for use in ROS. Note that two standard PEM files are required: the SSL certificate and the RSA private key file. These are concatenated into the resulting ssl.crt file, which may then be uploaded to ROS:

    # RSA key size:
    BITS=1024
    # 20 years validity:
    DAYS=7305

    # Values that will be stored in the Distinguished Name fields:

    COUNTRY_NAME=CA                     # Two-letter country code
    STATE_OR_PROVINCE_NAME=Ontario      # State or Province
    LOCALITY_NAME=Concord               # City
    ORGANIZATION=Ruggedcom.com          # Your organization's name
    ORGANIZATION_CA=${ORGANIZATION}_CA  # Your Certificate Authority
    COMMON_NAME=RC                      # The DNS or IP address of the ROS unit
    ORGANIZATIONAL_UNIT=ROS             # Organizational unit name

    # Variables used in the construction of the certificate
    REQ_SUBJ="/C=${COUNTRY_NAME}/ST=${STATE_OR_PROVINCE_NAME}/L=${LOCALITY_NAME}/O=${ORGANIZATION}/OU=${ORGANIZATIONAL_UNIT}/CN=${COMMON_NAME}/"
    REQ_SUBJ_CA="/C=${COUNTRY_NAME}/ST=${STATE_OR_PROVINCE_NAME}/L=${LOCALITY_NAME}/O=${ORGANIZATION_CA}/OU=${ORGANIZATIONAL_UNIT}/"

    ########################################################################
    # Make the self-signed SSL certificate and RSA key pair:
    # (the subject is quoted so that field values containing spaces stay one argument)

    openssl req -x509 -newkey rsa:${BITS} -nodes \
        -days ${DAYS} -subj "${REQ_SUBJ}" \
        -keyout ros_ssl.key \
        -out ros_ssl.crt

    # Concatenate Cert and Key into a single file suitable for upload to ROS:
    # Note that cert must precede the RSA key:
    cat ros_ssl.crt ros_ssl.key > ssl.crt
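A pre-upload check for the concatenated ssl.crt file, as an added Python example that is not part of the Siemens guide: it confirms that the certificate precedes the key and that the RSA modulus falls in the 512 to 2048 bit range stated above, flagging keys under 1024 bits. The function names are hypothetical, the check assumes exactly one certificate and one key per file, and the sample key is a constructed structure with a placeholder modulus.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")    # rsaEncryption, 1.2.840.113549.1.1.1
KEY_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY")  # PKCS#1 and PKCS#8 PEM labels

def pem_blocks(text):
    """Return [(label, der_bytes), ...] in the order the blocks appear."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def der_read(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def rsa_modulus_bits(label, der):
    """Modulus length in bits of an RSA private key in PKCS#1 or PKCS#8 form."""
    tag, body, _ = der_read(der)
    fields = der_children(body)
    if label == "PRIVATE KEY":             # PKCS#8 wraps the PKCS#1 key in an OCTET STRING
        if len(fields) < 3 or RSA_OID not in fields[1][1]:
            raise ValueError("PKCS#8 key is not RSA")
        tag, body, _ = der_read(fields[2][1])
        fields = der_children(body)
    if tag != 0x30 or len(fields) < 2 or fields[1][0] != 0x02:
        raise ValueError("not an RSA private key structure")
    return int.from_bytes(fields[1][1], "big").bit_length()

def check_ssl_crt(text):
    """Return a list of findings; an empty list means no problem was found."""
    blocks = pem_blocks(text)
    certs = [i for i, (label, _) in enumerate(blocks) if label == "CERTIFICATE"]
    keys = [i for i, (label, _) in enumerate(blocks) if label in KEY_LABELS]
    if len(certs) != 1 or len(keys) != 1:
        return ["expected one certificate and one RSA private key"]
    findings = []
    if certs[0] > keys[0]:
        findings.append("certificate must precede the private key")
    try:
        bits = rsa_modulus_bits(*blocks[keys[0]])
    except (ValueError, IndexError):
        return findings + ["private key is not a parsable RSA key"]
    if not 512 <= bits <= 2048:
        findings.append(f"{bits}-bit key is outside the 512 to 2048 bit range ROS supports")
    elif bits < 1024:
        findings.append(f"{bits}-bit key is below the recommended 1024 bits")
    return findings

# --- constructed sample input (placeholder numbers, not a usable key) ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def _int(x):
    return _tlv(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big"))

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def sample_key(bits, pkcs8=False):
    """Build a PEM key structure whose modulus has exactly `bits` bits."""
    modulus = (1 << (bits - 1)) | 1
    pkcs1 = _tlv(0x30, b"".join(_int(v) for v in (0, modulus, 65537, 3, 5, 7, 11, 13, 17)))
    if not pkcs8:
        return _pem("RSA PRIVATE KEY", pkcs1)
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    return _pem("PRIVATE KEY", _tlv(0x30, _int(0) + alg + _tlv(0x04, pkcs1)))

SAMPLE_CERT = _pem("CERTIFICATE", _tlv(0x30, b"constructed placeholder, not a real certificate"))

if __name__ == "__main__":
    for name, text in [("cert then 1024-bit key", SAMPLE_CERT + sample_key(1024)),
                       ("key then cert", sample_key(1024) + SAMPLE_CERT),
                       ("cert then 768-bit key", SAMPLE_CERT + sample_key(768))]:
        print(name, "->", check_ssl_crt(text) or "ok")
```

The certificate body itself is not parsed here; inspect it separately with `openssl x509 -text -noout`.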


    For information on creating SSL certificates for use with ROS in a Microsoft Windows environment, refer to the following Siemens application note: Creating/Uploading SSH Keys and SSL Certificates to ROS Using Windows.

    The following is an example of a self-signed SSL certificate generated by ROS:


    Section 1.2.2.2

    SSH Key Pairs

    Controlled versions of ROS support SSH public/private key pairs that conform to the following specifications:

    • PEM format

    • DSA key pair, 512 to 2048 bits in length

    The DSA key pair used in the default key pair and in those generated by ROS uses a public key of 1024 bits in length.


    NOTE: DSA keys smaller than 1024 bits in length are not recommended, and support is only included here for compatibility with legacy equipment.

    The following (bash) shell script fragment uses the ssh-keygen command line utility to generate a 1024 bit DSA key suitable for use in ROS. The resulting ssh.keys file may then be uploaded to ROS:

    # DSA key size:
    BITS=1024

    # Make an SSH key pair (no passphrase, written to ssh.keys):
    ssh-keygen -t dsa -b ${BITS} -N '' -f ssh.keys

    The following is an example of an SSH key generated by ROS:


    Section 1.3

    Available Services by Port

    The following table lists the services available under ROS. This table includes the following information:

    • Services
      The service supported by the device.

    • Port Number
      The port number associated with the service.

    • Port Open
      The port state, whether it is always open and cannot be closed, or open only, but can be configured.

      NOTE: In certain cases, the service might be disabled, but the port can still be open (e.g. TFTP).

    • Port Default
      The default state of the port (i.e. open or closed).

    • Access Authorized
      Denotes whether the ports/services are authenticated during access.

    | Services | Port Number | Port Open | Port Default | Access Authorized | Note |
    |---|---|---|---|---|---|
    | Telnet | TCP/23 | Open (configurable) | Closed | Yes | Only available through two management interfaces. |
    | HTTP | TCP/80 | Open, redirects to 443 | Open | — | |
    | HTTPS | TCP/443 | Open | Open | Yes | |
    | RSH | TCP/512 | Open (configurable) | Closed | Yes | Only available through two management interfaces. |
    | TFTP | UDP/69 | Open (configurable) | Closed | No | Only available through two management interfaces. |
    | SFTP | TCP/22 | Open | Open | Yes | Only available through two management interfaces. |
    | SNMP | UDP/161 | Open (configurable) | Closed | Yes | Only available through two management interfaces. |
    | SNTP | UDP/123 | Open - Always might act as server | Open | No | Only available through two management interfaces. |
    | SSH | TCP/22 | Open | Open | Yes | Only available through two management interfaces. |
    | ICMP | — | Open | Open | No | |
    | TACACS+ | TCP/49 (configurable) | Open (configurable) | Closed | Yes | |
    | RADIUS | UDP/1812 to send (configurable), opens random port to listen to | Open (configurable) | Closed | Yes | Only available through two management interfaces. |
    | Remote Syslog | UDP/514 (configurable) | Open (configurable) | Closed | No | Only available through two management interfaces. |
    | DNP over RawSocket | TCP/21001 to TCP/21016 | Open (configurable) | Closed | No | |
    | DNPv3 | UDP/20000, TCP/20000 | UDP Open; TCP open after configured first time - can not be closed | UDP Open; TCP Closed | No | |
    | RawSocket/Telnet COM | UDP/50001 to UDP/50016, TCP/50001 to TCP/50016 | Open (configurable) | Closed | No | |
    | Preemptive RAW Socket | TCP/62001 to TCP/62016 | Open (configurable) | Closed | No | |
    | TIN | UDP/51000, TCP/51000 | UDP Open; TCP open after configured first time - can not be closed | UDP Open; TCP Closed | No | |
    | WIN | UDP/52000, TCP/52000 | UDP Open; TCP open after configured first time - can not be closed | UDP Open; TCP Closed | No | |
    | MICROLOK | UDP/60000 | UDP Open; TCP open after configured first time - can not be closed | UDP Open; TCP Closed | No | |
    | MirroredBits | UDP/61001 to UDP/61016 | Open (configurable) | Closed | No | |
    | TCP Modbus (Server) | TCP/502 | Open | Open | No | Only available through two management interfaces. |
    | TCP Modbus (Switch) | TCP/502 | Open (configurable) | Closed | No | |
    | DHCP, DHCP Agent | UDP/67 sending msg if enabled - if received, always come to CPU, dropped if service not configured | Open | Open | No | |
    | RCDP | — | Open (configurable) | Closed | Yes | |

    Section 1.4

    SNMP Management Interface Base (MIB) Support

    ROS supports a variety of standard MIBs, proprietary RUGGEDCOM MIBs and Agent Capabilities MIBs, all for SNMP (Simple Network Management Protocol).

    • Section 1.4.1, “Supported Standard MIBs”

    • Section 1.4.2, “Supported Proprietary RUGGEDCOM MIBs”

    • Section 1.4.3, “Supported Agent Capabilities”

    Section 1.4.1

    Supported Standard MIBs

    ROS supports the following standard MIBs:

    | Standard | MIB Name | Title |
    |---|---|---|
    | RFC 2578 | SNMPv2-SMI | Structure of Management Information Version 2 |
    | RFC 2579 | SNMPv2-TC | Textual Conventions for SMIv2 |
    | RFC 2580 | SNMPv2-CONF | Conformance Statements for SMIv2 |
    | | IANAifType | Enumerated Values of the ifType Object Defined ifTable defined in IF-MIB |
    | RFC 1907 | SNMPv2-MIB | Management Information Base for SNMPv2 |
    | RFC 2011 | IP-MIB | SNMPv2 Management Information Base for Internet Protocol using SMIv2 |
    | RFC 2012 | TCP-MIB | SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2 |
    | RFC 2013 | UDP-MIB | Management Information Base for the UDP using SMIv2 |
    | RFC 1659 | RS-232-MIB | Definitions of Managed Objects for RS-232-like Hardware Devices |
    | RFC 2863 | IF-MIB | The Interface Group MIB |
    | RFC 2819 | RMON-MIB | Remote Network Monitoring (RMON) management Information base |
    | RFC 4188 | BRIDGE-MIB | Definitions of Managed Objects for Bridges |
    | RFC 4318 | RSTP-MIB | Definitions of Managed Objects for Bridges with Rapid Spanning Tree Protocol |
    | RFC 3411 | SNMP-FRAMEWORK-MIB | An Architecture for Describing Simple Network Management Protocol (SNMP) Management Framework |
    | RFC 3414 | SNMP-USER-BASED-SM-MIB | User-based Security Model (USM) for Version 3 of the Simple Network Management Protocol (SNMPv3) |
    | RFC 3415 | SNMP-VIEW-BASED-ACM-MIB | View-based Access Control Model (VACM) for the Simple Management Protocol (SNMP) |
    | IEEE 802.3ad | IEEE8023-LAG-MIB | Management Information Base Module for Link Aggregation |
    | IEEE 802.1AB-2005 | LLDP-MIB | Management Information Base Module for LLDP Configuration, Statistics, Local System Data and Remote Systems Data Components |
    | RFC 4363 | Q-BRIDGE-MIB | Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering, and Virtual LAN Extensions |

    Section 1.4.2

    Supported Proprietary RUGGEDCOM MIBs

    ROS supports the following proprietary RUGGEDCOM MIBs:

    | File Name | MIB Name | Description |
    |---|---|---|
    | ruggedcom.mib | RUGGEDCOM-MIB | RUGGEDCOM enterprise SMI |
    | ruggedcomtraps.mib | RUGGEDCOM-TRAPS-MIB | RUGGEDCOM traps definition |
    | rcsysinfo.mib | RUGGEDCOM-SYS-INFO-MIB | General system information about RUGGEDCOM device |
    | rcDot11.mib | RUGGEDCOM-DOT11-MIB | Management for wireless interface on RUGGEDCOM device |
    | rcPoe.mib | RUGGEDCOM-POE-MIB | Management for PoE ports on RUGGEDCOM device |
    | rcSerial.mib | RUGGEDCOM-SERIAL-MIB | Management for serial ports on RUGGEDCOM device |
    | rcRstp.mib | RUGGEDCOM-STP-MIB | Management for RSTP protocol |

    Section 1.4.3

    Supported Agent Capabilities

    ROS supports the following agent capabilities for the SNMP agent:

    NOTE: For information about agent capabilities for SNMPv2, refer to RFC 2580 [http://tools.ietf.org/html/rfc2580].

    | File Name | MIB Name | Supported MIB |
    |---|---|---|
    | rcsnmpv2AC.mib | RC-SNMPv2-MIB-AC | SNMPv2-MIB |
    | rcudpmibAC.mib | RC-UDP-MIB-AC | UDP-MIB |
    | rctcpmibAC.mib | RC-TCP-MIB-AC | TCP-MIB |
    | rcSnmpUserBasedSmMibAC.mib | RC-SNMP-USER-BASED-SM-MIB-AC | SNMP-USER-BASED-SM-MIB-AC |
    | rcSnmpViewBasedAcmMibAC.mib | RC-SNMP-VIEW-BASED-ACM-MIB-AC | SNMP-VIEW-BASED-ACM-MIB-AC |
    | rcifmibAC.mib | RC-IF-MIB-AC | IF-MIB |
    | rcbridgemibAC.mib | RC-BRIDGE-MIB-AC | BRIDGE-MIB |
    | rcrmonmibAC.mib | RC-RMON-MIB-AC | RMON-MIB |
    | rcqbridgemibAC.mib | RC-Q-BRIDGE-MIB-AC | Q-BRIDGE-MIB |
    | rcipmibAC.mib | RC-IP-MIB-AC | IP-MIB |
    | rclldpmibAC.mib | RC-LLDP-MIB-AC | LLDP-MIB |
    | rclagmibAC.mib | RC-LAG-MIB-AC | IEEE8023-LAG-MIB |
    | rcrstpmibAC.mib | RC_RSTP-MIB-AC | RSTP-MIB |
    | rcrcdot11AC.mib | RC-RUGGEDCOM-DOT11-MIB-AC | RUGGEDCOM-DOT11-MIB |
    | rcrcpoeAC.mib | RC-RUGGEDCOM-POE-MIB-AC | RUGGEDCOM-POE-MIB |
    | rcrcrstpmibAC.mib | RC-RUGGEDCOM-STP-AC-MIB | RUGGEDCOM-STP-MIB |
    | rcrcsysinfomibAC.mib | RC-RUGGEDCOM-SYS-INFO-MIB-AC | RUGGEDCOM-SYS-INFO-MIB |
    | rcrctrapsmibAC.mib | RC-RUGGEDCOM-TRAPS-MIB-AC | RUGGEDCOM-TRAPS-MIB |
    | rcrs232mibAC.mib | RUGGEDCOM_RS-232-MIB-AC | RS-232-MIB |
    | rcserialmibAC.mib | RC-RUGGEDCOM-SERIAL-MIB-AC | RUGGEDCOM-SERIAL-MIB |

    Section 1.5

    SNMP Traps

    The device generates the following standard traps:

    Table: Standard Traps

    | Trap | MIB |
    |---|---|
    | linkDown, linkUp | IF-MIB |
    | authenticationFailure, coldStart | SNMPv2-MIB |
    | newRoot, topologyChange | BRIDGE-MIB |
    | risingAlarm, fallingAlarm | RMON-MIB |
    | lldpRemoteTablesChange | LLDP-MIB |

    The device also generates the following proprietary traps:


    Table: Proprietary Traps

    | Trap | MIB |
    |---|---|
    | genericTrap, powerSupplyTrap, swUpgradeTrap, cfgChangeTrap, weakPasswordTrap, defaultKeysTrap | RUGGEDCOM-TRAPS-MIB |

    Generic traps carry information about events in their severity and description objects. They are sent at the same time an alarm is generated for the device. The following are examples of RUGGEDCOM generic traps:

    NOTE: Information about generic traps can be retrieved using the CLI command alarms. For more information about the alarms command, refer to Section 2.6.1, “Available CLI Commands”.

    Table: Generic Traps

    | Trap | Severity |
    |---|---|
    | heap error | Alert |
    | NTP server failure | notification |
    | real time clock failure | Error |
    | failed password | Warning |
    | MAC address not learned by switch fabric | Warning |
    | BootP client: TFTP transfer failure | Error |
    | received looped back BPDU | Error |
    | received two consecutive confusing BPDUs on port, forcing down | Error |

    The device generates the following traps when specific events occur:

    Table: Event-Based Traps

    | Trap | MIB | Event |
    |---|---|---|
    | rcRstpNewTopology | RUGGEDCOM-STP-MIB | This trap is generated when the device topology becomes stable after a topology change occurs on a switch port. |

    Section 1.6

    ModBus Management Support

    Modbus management support in RUGGEDCOM devices provides a simple interface for retrieving basic status information. ModBus support simplifies the job of SCADA (Supervisory Control and Data Acquisition) system integrators by providing familiar protocols for retrieving RUGGEDCOM device information. ModBus provides mostly read-only status information, but there are some writable registers for operator commands.

    The ModBus protocol PDU (Protocol Data Unit) format is as follows:


    | Function Code | Data |

    The following sections describe the support for ModBus management:

    • Section 1.6.1, “ModBus Function Codes”

    • Section 1.6.2, “ModBus Memory Map”

    • Section 1.6.3, “ModBus Memory Formats”

    Section 1.6.1

    ModBus Function Codes

    RUGGEDCOM devices support the following ModBus function codes for device management through ModBus:

    NOTE: While RUGGEDCOM devices have a variable number of ports, not all registers and bits apply to all products.

    Registers that are not applicable to a particular device return a zero (0) value. For example, registers referring to serial ports are not applicable to RUGGEDCOM switch devices.

    Read Input Registers or Read Holding Registers — 0x04 or 0x03

    Example PDU Request

    | Function Code | 1 Byte | 0x04(0x03) |
    | Starting Address | 2 Bytes | 0x0000 to 0xFFFF (Hexadecimal), 128 to 65535 (Decimal) |
    | Number of Input Registers | 2 Bytes | 0x0001 to 0x007D |

    Example PDU Response

    | Function Code | 1 Byte | 0x04(0x03) |
    | Byte Count | 1 Byte | 2 x N [a] |
    | Number of Input Registers | N [a] x 2 Bytes | |

    [a] The number of input registers

    Write Multiple Registers — 0x10

    Example PDU Request

    | Function Code | 1 Byte | 0x10 |
    | Starting Address | 2 Bytes | 0x0000 to 0xFFFF |
    | Number of Input Registers | 2 Bytes | 0x0001 to 0x0079 |
    | Byte Count | 1 Byte | 2 x N [b] |
    | Registers Value | N [b] x 2 Bytes | Value of the register |

    [b] The number of input registers

    Example PDU Response

    | Function Code | 1 Byte | 0x10 |
    | Starting Address | 2 Bytes | 0x0000 to 0xFFFF |
    | Number of Registers | 2 Bytes | 1 to 121 (0x79) |

    Section 1.6.2

    ModBus Memory Map

    The following details how ModBus process variable data is mapped.

    Product Info

    The following data is mapped to the Productinfo table:

    | Address | #Registers | Description (Reference Table in UI) | R/W | Format |
    |---|---|---|---|---|
    | 0000 | 16 | Product Identification | R | Text |
    | 0010 | 32 | Firmware Identification | R | Text |
    | 0040 | 1 | Number of Ethernet Ports | R | Uint16 |
    | 0041 | 1 | Number of Serial Ports | R | Uint16 |
    | 0042 | 1 | Number of Alarms | R | Uint16 |
    | 0043 | 1 | Power Supply Status | R | PSStatusCmd |
    | 0044 | 1 | FailSafe Relay Status | R | TruthValue |
    | 0045 | 1 | ErrorAlarm Status | R | TruthValue |

    Product Write Register

    The following data is mapped to various tables:

    | Address | #Registers | Description (Reference Table in UI) | R/W | Format |
    |---|---|---|---|---|
    | 0080 | 1 | Clear Alarms | W | Cmd |
    | 0081 | 2 | Reset Ethernet Ports | W | PortCmd |
    | 0083 | 2 | Clear Ethernet Statistics | W | PortCmd |
    | 0085 | 2 | Reset Serial Ports | W | PortCmd |
    | 0087 | 2 | Clear Serial Port Statistics | W | PortCmd |
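Because the services table lists TCP Modbus as unauthenticated, a monitoring point can decode request PDUs against the layouts in Section 1.6.1 and flag writes that reach the operator-command registers listed above. The following Python sketch is an added example, not code from the Siemens guide: the function names are hypothetical, the sample PDUs and register values are constructed, and the Modbus/TCP MBAP header is assumed to be stripped already. Only the Product Info and Product Write Register rows are included in the map.

```python
import struct

READ_HOLDING, READ_INPUT, WRITE_MULTIPLE = 0x03, 0x04, 0x10
MAX_READ, MAX_WRITE = 0x7D, 0x79   # register-count limits from the request tables

# (address, register count, description, access) from the two tables above
MEMORY_MAP = [
    (0x0000, 16, "Product Identification", "R"),
    (0x0010, 32, "Firmware Identification", "R"),
    (0x0040, 1, "Number of Ethernet Ports", "R"),
    (0x0041, 1, "Number of Serial Ports", "R"),
    (0x0042, 1, "Number of Alarms", "R"),
    (0x0043, 1, "Power Supply Status", "R"),
    (0x0044, 1, "FailSafe Relay Status", "R"),
    (0x0045, 1, "ErrorAlarm Status", "R"),
    (0x0080, 1, "Clear Alarms", "W"),
    (0x0081, 2, "Reset Ethernet Ports", "W"),
    (0x0083, 2, "Clear Ethernet Statistics", "W"),
    (0x0085, 2, "Reset Serial Ports", "W"),
    (0x0087, 2, "Clear Serial Port Statistics", "W"),
]

class PduError(ValueError):
    """Raised for a PDU that does not match the layouts in Section 1.6.1."""

def parse_request(pdu):
    """Decode and validate a read (0x03/0x04) or write-multiple (0x10) request PDU."""
    if len(pdu) < 5:
        raise PduError("request shorter than function code + address + count")
    func, start, count = struct.unpack(">BHH", pdu[:5])
    if func in (READ_HOLDING, READ_INPUT):
        if len(pdu) != 5:
            raise PduError("unexpected bytes after read request")
        if not 1 <= count <= MAX_READ:
            raise PduError("register count outside 0x0001 to 0x007D")
        values = []
    elif func == WRITE_MULTIPLE:
        if not 1 <= count <= MAX_WRITE:
            raise PduError("register count outside 0x0001 to 0x0079")
        if len(pdu) != 6 + 2 * count or pdu[5] != 2 * count:
            raise PduError("byte count does not equal 2 x N")
        values = list(struct.unpack(">%dH" % count, pdu[6:]))
    else:
        raise PduError("function code 0x%02X is not one of 0x03, 0x04, 0x10" % func)
    if start + count > 0x10000:
        raise PduError("register range runs past 0xFFFF")
    return {"function": func, "start": start, "count": count, "values": values}

def registers_touched(start, count):
    """Memory-map entries that overlap the range [start, start + count)."""
    end = start + count
    return [(name, access) for addr, n, name, access in MEMORY_MAP
            if addr < end and start < addr + n]

def classify(pdu):
    """Parse a request and mark it when it writes to an operator-command register."""
    req = parse_request(pdu)
    hits = registers_touched(req["start"], req["count"])
    req["targets"] = [name for name, _ in hits]
    req["alert"] = (req["function"] == WRITE_MULTIPLE
                    and any(access == "W" for _, access in hits))
    return req

def parse_read_response(pdu, count):
    """Decode a read response and check that the byte count is 2 x N."""
    if len(pdu) < 2 or pdu[0] not in (READ_HOLDING, READ_INPUT):
        raise PduError("not a read response")
    if pdu[1] != 2 * count or len(pdu) != 2 + 2 * count:
        raise PduError("byte count does not equal 2 x N")
    return list(struct.unpack(">%dH" % count, pdu[2:]))

# Constructed sample PDUs (the register values are placeholders)
SAMPLE_READ = struct.pack(">BHH", READ_INPUT, 0x0040, 6)
SAMPLE_READ_REPLY = struct.pack(">BB6H", READ_INPUT, 12, 4, 2, 1, 3, 1, 2)
SAMPLE_WRITE = struct.pack(">BHHB2H", WRITE_MULTIPLE, 0x0081, 2, 4, 0x8000, 0x0000)

if __name__ == "__main__":
    for pdu in (SAMPLE_READ, SAMPLE_WRITE):
        result = classify(pdu)
        print(pdu.hex(), result["targets"], "ALERT" if result["alert"] else "ok")
    print(parse_read_response(SAMPLE_READ_REPLY, 6))
```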

    Alarms

    The following data is mapped to the alarms table:

    | Address | #Registers | Description (Reference Table in UI) | R/W | Format |
    |---|---|---|---|---|
    | 0100 | 64 | Alarm 1 | R | Alarm |
    | 0140 | 64 | Alarm 2 | R | Alarm |
    | 0180 | 64 | Alarm 3 | R | Alarm |
    | 01C0 | 64 | Alarm 4 | R | Alarm |
    | 0200 | 64 | Alarm 5 | R | Alarm |
    | 0240 | 64 | Alarm 6 | R | Alarm |
    | 0280 | 64 | Alarm 7 | R | Alarm |
    | 02C0 | 64 | Alarm 8 | R | Alarm |

    Ethernet Port Status

    The following data is mapped to the ethPortStats table:

    | Address | #Registers | Description (Reference Table in UI) | R/W | Format |
    |---|---|---|---|---|
    | 03FE | 2 | Port Link Status | R | PortCmd |

    Ethernet StatisticsThe following data is mapped to the rmonStats table:

    Address #Registers Description (Reference Table in UI) R/W Format

    0400 2 Port s1/p1 Statistics - Ethernet In Packets R Uinst32

    0402 2 Port s1/p2 Statistics - Ethernet In Packets R Uinst32

    0404 2 Port s1/p3 Statistics - Ethernet In Packets R Uinst32

    0406 2 Port s1/p4 Statistics - Ethernet In Packets R Uinst32

    0408 2 Port s2/p1 Statistics - Ethernet In Packets R Uinst32

    040A 2 Port s2/p2 Statistics - Ethernet In Packets R Uinst32

    040C 2 Port s2/p3 Statistics - Ethernet In Packets R Uinst32

    040E 2 Port s2/p4 Statistics - Ethernet In Packets R Uinst32

    0410 2 Port s3/p1 Statistics - Ethernet In Packets R Uinst32

    0412 2 Port s3/p2 Statistics - Ethernet In Packets R Uinst32

    0414 2 Port s3/p3 Statistics - Ethernet In Packets R Uinst32

    0416 2 Port s3/p4 Statistics - Ethernet In Packets R Uinst32

    0418 2 Port s4/p1 Statistics - Ethernet In Packets R Uinst32

    041A 2 Port s4/p2 Statistics - Ethernet In Packets R Uinst32

    041C 2 Port s4/p3 Statistics - Ethernet In Packets R Uinst32

    041E 2 Port s4/p4 Statistics - Ethernet In Packets R Uinst32

    0420 2 Port s5/p1 Statistics - Ethernet In Packets R Uinst32

    0422 2 Port s5/p2 Statistics - Ethernet In Packets R Uinst32

    0424 2 Port s5/p3 Statistics - Ethernet In Packets R Uinst32

    0426 2 Port s5/p4 Statistics - Ethernet In Packets R Uinst32

    0428 2 Port s6/p1 Statistics - Ethernet In Packets R Uinst32

    042A 2 Port s6/p2 Statistics - Ethernet In Packets R Uinst32

    042C 2 Port s6/p3 Statistics - Ethernet In Packets R Uinst32

    042E 2 Port s6/p4 Statistics - Ethernet In Packets R Uinst32

  • Chapter 1Introduction

    RUGGEDCOM ROSUser Guide

    16 ModBus Memory Map

    Address #Registers Description (Reference Table in UI) R/W Format

    0430 2 Port s7/p1 Statistics - Ethernet In Packets R Uint32

    0432 2 Port s7/p2 Statistics - Ethernet In Packets R Uint32

    0434 2 Port s8/p1 Statistics - Ethernet In Packets R Uint32

    0436 2 Port s8/p2 Statistics - Ethernet In Packets R Uint32

    0440 2 Port s1/p1 Statistics - Ethernet Out Packets R Uint32

    0442 2 Port s1/p2 Statistics - Ethernet Out Packets R Uint32

    0444 2 Port s1/p3 Statistics - Ethernet Out Packets R Uint32

    0446 2 Port s1/p4 Statistics - Ethernet Out Packets R Uint32

    0448 2 Port s2/p1 Statistics - Ethernet Out Packets R Uint32

    044A 2 Port s2/p2 Statistics - Ethernet Out Packets R Uint32

    044C 2 Port s2/p3 Statistics - Ethernet Out Packets R Uint32

    044E 2 Port s2/p4 Statistics - Ethernet Out Packets R Uint32

    0450 2 Port s3/p1 Statistics - Ethernet Out Packets R Uint32

    0452 2 Port s3/p2 Statistics - Ethernet Out Packets R Uint32

    0454 2 Port s3/p3 Statistics - Ethernet Out Packets R Uint32

    0456 2 Port s3/p4 Statistics - Ethernet Out Packets R Uint32

    0458 2 Port s4/p1 Statistics - Ethernet Out Packets R Uint32

    045A 2 Port s4/p2 Statistics - Ethernet Out Packets R Uint32

    045C 2 Port s4/p3 Statistics - Ethernet Out Packets R Uint32

    045E 2 Port s4/p4 Statistics - Ethernet Out Packets R Uint32

    0460 2 Port s5/p1 Statistics - Ethernet Out Packets R Uint32

    0462 2 Port s5/p2 Statistics - Ethernet Out Packets R Uint32

    0464 2 Port s5/p3 Statistics - Ethernet Out Packets R Uint32

    0466 2 Port s5/p4 Statistics - Ethernet Out Packets R Uint32

    0468 2 Port s6/p1 Statistics - Ethernet Out Packets R Uint32

    046A 2 Port s6/p2 Statistics - Ethernet Out Packets R Uint32

    046C 2 Port s6/p3 Statistics - Ethernet Out Packets R Uint32

    046E 2 Port s6/p4 Statistics - Ethernet Out Packets R Uint32

    0470 2 Port s7/p1 Statistics - Ethernet Out Packets R Uint32

    0472 2 Port s7/p2 Statistics - Ethernet Out Packets R Uint32

    0474 2 Port s8/p1 Statistics - Ethernet Out Packets R Uint32

    0476 2 Port s8/p2 Statistics - Ethernet Out Packets R Uint32

    0480 2 Port s1/p1 Statistics - Ethernet In Packets R Uint32

    0482 2 Port s1/p2 Statistics - Ethernet In Packets R Uint32

    0484 2 Port s1/p3 Statistics - Ethernet In Packets R Uint32

    0486 2 Port s1/p4 Statistics - Ethernet In Packets R Uint32

    0488 2 Port s2/p1 Statistics - Ethernet In Packets R Uint32

    048A 2 Port s2/p2 Statistics - Ethernet In Packets R Uint32

    048C 2 Port s2/p3 Statistics - Ethernet In Packets R Uint32

    048E 2 Port s2/p4 Statistics - Ethernet In Packets R Uint32

    0490 2 Port s3/p1 Statistics - Ethernet In Packets R Uint32

    0492 2 Port s3/p2 Statistics - Ethernet In Packets R Uint32

    0494 2 Port s3/p3 Statistics - Ethernet In Packets R Uint32

    0496 2 Port s3/p4 Statistics - Ethernet In Packets R Uint32

    0498 2 Port s4/p1 Statistics - Ethernet In Packets R Uint32

    049A 2 Port s4/p2 Statistics - Ethernet In Packets R Uint32

    049C 2 Port s4/p3 Statistics - Ethernet In Packets R Uint32

    049E 2 Port s4/p4 Statistics - Ethernet In Packets R Uint32

    04A0 2 Port s5/p1 Statistics - Ethernet In Packets R Uint32

    04A2 2 Port s5/p2 Statistics - Ethernet In Packets R Uint32

    04A4 2 Port s5/p3 Statistics - Ethernet In Packets R Uint32

    04A6 2 Port s5/p4 Statistics - Ethernet In Packets R Uint32

    04A8 2 Port s6/p1 Statistics - Ethernet In Packets R Uint32

    04AA 2 Port s6/p2 Statistics - Ethernet In Packets R Uint32

    04AC 2 Port s6/p3 Statistics - Ethernet In Packets R Uint32

    04AE 2 Port s6/p4 Statistics - Ethernet In Packets R Uint32

    04B0 2 Port s7/p1 Statistics - Ethernet In Packets R Uint32

    04B2 2 Port s7/p2 Statistics - Ethernet In Packets R Uint32

    04B4 2 Port s8/p1 Statistics - Ethernet In Packets R Uint32

    04B6 2 Port s8/p2 Statistics - Ethernet In Packets R Uint32

    04C0 2 Port s1/p1 Statistics - Ethernet Out Packets R Uint32

    04C2 2 Port s1/p2 Statistics - Ethernet Out Packets R Uint32

    04C4 2 Port s1/p3 Statistics - Ethernet Out Packets R Uint32

    04C6 2 Port s1/p4 Statistics - Ethernet Out Packets R Uint32

    04C8 2 Port s2/p1 Statistics - Ethernet Out Packets R Uint32

    04CA 2 Port s2/p2 Statistics - Ethernet Out Packets R Uint32

    04CC 2 Port s2/p3 Statistics - Ethernet Out Packets R Uint32

    04CE 2 Port s2/p4 Statistics - Ethernet Out Packets R Uint32

    04D0 2 Port s3/p1 Statistics - Ethernet Out Packets R Uint32

    04D2 2 Port s3/p2 Statistics - Ethernet Out Packets R Uint32

    04D4 2 Port s3/p3 Statistics - Ethernet Out Packets R Uint32

    04D6 2 Port s3/p4 Statistics - Ethernet Out Packets R Uint32

    04D8 2 Port s4/p1 Statistics - Ethernet Out Packets R Uint32

    04DA 2 Port s4/p2 Statistics - Ethernet Out Packets R Uint32

    04DC 2 Port s4/p3 Statistics - Ethernet Out Packets R Uint32

    04DE 2 Port s4/p4 Statistics - Ethernet Out Packets R Uint32

    04E0 2 Port s5/p1 Statistics - Ethernet Out Packets R Uint32

    04E2 2 Port s5/p2 Statistics - Ethernet Out Packets R Uint32

    04E4 2 Port s5/p3 Statistics - Ethernet Out Packets R Uint32

    04E6 2 Port s5/p4 Statistics - Ethernet Out Packets R Uint32

    04E8 2 Port s6/p1 Statistics - Ethernet Out Packets R Uint32

    04EA 2 Port s6/p2 Statistics - Ethernet Out Packets R Uint32

    04EC 2 Port s6/p3 Statistics - Ethernet Out Packets R Uint32

    04EE 2 Port s6/p4 Statistics - Ethernet Out Packets R Uint32

    04F0 2 Port s7/p1 Statistics - Ethernet Out Packets R Uint32

    04F2 2 Port s7/p2 Statistics - Ethernet Out Packets R Uint32

    04F4 2 Port s8/p1 Statistics - Ethernet Out Packets R Uint32

    04F6 2 Port s8/p2 Statistics - Ethernet Out Packets R Uint32

    Serial Statistics

    The following data is mapped to the uartPortStatus table:

    Address #Registers Description (Reference Table in UI) R/W Format

    0600 2 Port 1 Statistics – Serial In characters R Uint32

    0602 2 Port 2 Statistics – Serial In characters R Uint32

    0604 2 Port 3 Statistics – Serial In characters R Uint32

    0606 2 Port 4 Statistics – Serial In characters R Uint32

    0640 2 Port 1 Statistics – Serial Out characters R Uint32

    0642 2 Port 2 Statistics – Serial Out characters R Uint32

    0644 2 Port 3 Statistics – Serial Out characters R Uint32

    0646 2 Port 4 Statistics – Serial Out characters R Uint32

    0680 2 Port 1 Statistics – Serial In Packets R Uint32

    0682 2 Port 2 Statistics – Serial In Packets R Uint32

    0684 2 Port 3 Statistics – Serial In Packets R Uint32

    0686 2 Port 4 Statistics – Serial In Packets R Uint32

    06C0 2 Port 1 Statistics – Serial Out Packets R Uint32

    06C2 2 Port 2 Statistics – Serial Out Packets R Uint32

    06C4 2 Port 3 Statistics – Serial Out Packets R Uint32

    06C6 2 Port 4 Statistics – Serial Out Packets R Uint32

    Section 1.6.3

    ModBus Memory Formats

    The following ModBus memory formats are supported by Siemens:

    • Section 1.6.3.1, “Text”

    • Section 1.6.3.2, “Cmd”

    • Section 1.6.3.3, “Uint16”

    • Section 1.6.3.4, “Uint32”

    • Section 1.6.3.5, “PortCmd”

    • Section 1.6.3.6, “Alarm”

    • Section 1.6.3.7, “PSStatusCmd”

    • Section 1.6.3.8, “TruthValues”

    Section 1.6.3.1

    Text

    The Text format provides a simple ASCII representation of the information related to the product. The most significant register byte of an ASCII character comes first.

    For example, consider a Read Multiple Registers request to read Product Identification from location 0x0000.

    0x04 0x00 0x00 0x00 0x08

    The response may look like:

    0x04 0x10 0x53 0x59 0x53 0x54 0x45 0x4D 0x20 0x4E 0x41 0x4D 0x45

    0x00 0x00 0x00 0x00 0x00

    In this example, starting from byte 3 until the end, the response presents an ASCII representation of the characters for the product identification, which reads as SYSTEM NAME. Since the length of this field is smaller than eight registers, the rest of the field is filled with zeros (0).

    Section 1.6.3.2

    Cmd

    The Cmd format instructs the device to set the output to either true or false. The most significant byte comes first.

    • FF 00 hex requests output to be True

    • 00 00 hex requests output to be False

    • Any value other than the suggested values does not affect the requested operation

    For example, consider a Write Multiple Registers request to clear alarms in the device.

    0x10 0x00 0x80 0x00 0x01 2 0xFF 0x00

    • FF 00 for register 00 80 clears the system alarms

    • 00 00 does not clear any alarms

    The response may look like:

    0x10 0x00 0x80 0x00 0x01

    Section 1.6.3.3

    Uint16

    The Uint16 format describes a Standard ModBus 16 bit register.

    Section 1.6.3.4

    Uint32

    The Uint32 format describes Standard 2 ModBus 16 bit registers. The first register holds the most significant 16 bits of a 32 bit value. The second register holds the least significant 16 bits of a 32 bit value.

    Section 1.6.3.5

    PortCmd

    The PortCmd format describes a bit layout per port, where 1 indicates the requested action is true, and 0 indicates the requested action is false.

    PortCmd provides a bit layout of a maximum of 32 ports. Therefore, it uses two ModBus registers:

    • The first ModBus register corresponds to ports 1 – 16

    • The second ModBus register corresponds to ports 17 – 32 for a particular action

    Bits that do not apply to a particular product are always set to zero (0).

    A bit value of 1 indicates that the requested action is true. For example, the port is up.

    A bit value of 0 indicates that the requested action is false. For example, the port is down.

    Reading Data Using PortCmd

    To understand how to read data using PortCmd, consider a ModBus Request to read multiple registers from location 0x03FE.

    0x04 0x03 0xFE 0x00 0x02

    The response depends on how many ports are available on the device. For example, if the maximum number of ports on a connected RUGGEDCOM device is 20, the response would be similar to the following:

    0x04 0x04 0xF2 0x76 0x00 0x05

    In this example, bytes 3 and 4 refer to register 1 at location 0x03FE, and represent the status of ports 1 – 16. Bytes 5 and 6 refer to register 2 at location 0x03FF, and represent the status of ports 17 – 32. The device only has 20 ports, so byte 6 contains the status for ports 17 – 20 starting from right to left. The rest of the bits in register 2 corresponding to the non-existing ports 21 – 31 are zero (0).

    Performing Write Actions Using PortCmd

    To understand how data is written using PortCmd, consider a Write Multiple Register request to clear Ethernet port statistics:

    0x10 0x00 0x83 0x00 0x01 2 0x55 0x76 0x00 0x50

    A bit value of 1 clears Ethernet statistics on the corresponding port. A bit value of 0 does not clear the Ethernet statistics.

    0x10 0x00 0x81 0x00 0x02

    Section 1.6.3.6

    Alarm

    The Alarm format is another form of text description. Alarm text corresponds to the alarm description from the table holding all of the alarms. Similar to the Text format, this format returns an ASCII representation of alarms.

    NOTE: Alarms are stacked in the device in the sequence of their occurrence (i.e. Alarm 1, Alarm 2, Alarm 3, etc.).

    The first eight alarms from the stack can be returned, if they exist. A zero (0) value is returned if an alarm does not exist.

    Section 1.6.3.7

    PSStatusCmd

    The PSStatusCmd format describes a bit layout for providing the status of available power supplies. Bits 0-4 of the lower byte of the register are used for this purpose.

    • Bits 0-1: Power Supply 1 Status

    • Bits 2-3: Power Supply 2 Status

    Other bits in the register do not provide any system status information.

    Bit Value Description

    01 Power Supply not present (01 = 1)

    10 Power Supply is functional (10 = 2)

    11 Power Supply is not functional (11 = 3)

    The values used for power supply status are derived from the RUGGEDCOM-specific SNMP MIB.

    Reading the Power Supply Status from a Device Using PSStatusCmd

    To understand how to read the power supply status from a device using PSStatusCmd, consider a ModBus Request to read multiple registers from location 0x0043.

    0x04 0x00 0x43 0x00 0x01

    The response may look like:

    0x04 0x02 0x00 0x0A

    The lower byte of the register displays the power supply's status. In this example, both power supplies in the unit are functional.

    Section 1.6.3.8

    TruthValues

    The TruthValues format represents a true or false status in the device:

    • 1 indicates the corresponding status for the device to be true

    • 2 indicates the corresponding status for the device to be false

    Reading the FailSafe Relay Status From a Device Using TruthValue

    To understand how to use the TruthValue format to read the FailSafe Relay status from a device, consider a ModBus request to read multiple registers from location 0x0044.

    0x04 0x00 0x44 0x00 0x01

    The response may look like:

    0x04 0x02 0x00 0x01

    The register's lower byte shows the FailSafe Relay status. In this example, the FailSafe Relay is energized.

    Reading the ErrorAlarm Status From a Device Using TruthValue

    To understand how to use the TruthValue format to read the ErrorAlarm status from a device, consider a ModBus request to read multiple registers from location 0x0045.

    0x04 0x00 0x45 0x00 0x01

    The response may look like:

    0x04 0x02 0x00 0x01

    The register's lower byte shows the ErrorAlarm status. In this example, there is no active ERROR, ALERT or CRITICAL alarm in the device.
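    The sample responses from the Text, PortCmd, PSStatusCmd and TruthValues sections can be decoded and sanity-checked as follows. This is an added example, not Siemens code: the function names are hypothetical, the PortCmd bit order in register 1 (lowest bit = lowest port) is an assumption extended from the right-to-left description given for register 2, and the exception-response check follows standard ModBus behavior rather than anything stated in this guide.

```python
import struct

class ModbusError(ValueError):
    """Raised when a response PDU is malformed or is an exception response."""

def registers(pdu, expected_fc=0x04):
    """Validate a read-response PDU and return its 16-bit registers."""
    if len(pdu) < 2:
        raise ModbusError("short PDU")
    if pdu[0] == expected_fc | 0x80:        # standard ModBus exception response
        raise ModbusError(f"exception code 0x{pdu[1]:02X}")
    if pdu[0] != expected_fc:
        raise ModbusError(f"unexpected function code 0x{pdu[0]:02X}")
    count = pdu[1]
    if count % 2 or len(pdu) != 2 + count:
        raise ModbusError("byte count does not match payload")
    return list(struct.unpack(f">{count // 2}H", pdu[2:]))

def decode_text(regs):
    """Text: high byte of each register first, zero-filled on the right."""
    raw = b"".join(r.to_bytes(2, "big") for r in regs)
    return raw.rstrip(b"\x00").decode("ascii", "replace")

def decode_uint32(regs):
    """Uint32: the first register holds the most significant 16 bits."""
    if len(regs) != 2:
        raise ModbusError("Uint32 needs two registers")
    return (regs[0] << 16) | regs[1]

def decode_portcmd(regs, max_ports):
    """PortCmd: list the ports whose bit is 1 (ASSUMPTION: bit 0 = lowest port)."""
    if len(regs) != 2:
        raise ModbusError("PortCmd needs two registers")
    bits = regs[0] | (regs[1] << 16)        # register 1 = ports 1-16, register 2 = 17-32
    if bits >> max_ports:                   # bits for absent ports must be zero
        raise ModbusError("bit set for a port the device does not have")
    return [p for p in range(1, max_ports + 1) if (bits >> (p - 1)) & 1]

PS_STATES = {1: "not present", 2: "functional", 3: "not functional"}

def decode_psstatus(regs):
    """PSStatusCmd: bits 0-1 = supply 1, bits 2-3 = supply 2 of the lower byte."""
    if len(regs) != 1:
        raise ModbusError("PSStatusCmd needs one register")
    low = regs[0] & 0xFF
    return tuple(PS_STATES.get((low >> s) & 0b11, "undefined") for s in (0, 2))

def decode_truth(regs):
    """TruthValues: 1 is true, 2 is false; anything else is rejected."""
    if len(regs) != 1 or (regs[0] & 0xFF) not in (1, 2):
        raise ModbusError("invalid TruthValue register")
    return (regs[0] & 0xFF) == 1

# Response PDUs copied from the examples in this section.
TEXT_RESP = bytes.fromhex("0410" "53595354454D204E414D45" "0000000000")
PORT_RESP = bytes.fromhex("0404F2760005")
PS_RESP = bytes.fromhex("0402000A")
TRUTH_RESP = bytes.fromhex("04020001")

if __name__ == "__main__":
    print(decode_text(registers(TEXT_RESP)))
    print(decode_portcmd(registers(PORT_RESP), max_ports=20))
    print(decode_psstatus(registers(PS_RESP)))
    print(decode_truth(registers(TRUTH_RESP)))
```

    Rejecting a PortCmd response with bits set for ports the device does not have gives a monitoring script a cheap check that it is talking to the device model it expects.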

    Section 1.7

    Certificate and Key Requirements

    Users are able to load custom and unique SSL certificates and SSL/SSH keys in ROS or use the certificates and keys provided by ROS.

    There are three types of certificates and keys:

    NOTE: Default and auto-generated SSH keys are not available for Non-Controlled (NC) versions of ROS.

    • Default

    Each ROS device is shipped with an SSL certificate and RSA key pair, and a DSA key pair for SSH that are unique to software version. If a valid SSL certificate or SSL/SSH keys are not available on the device, the default certificate and keys are used immediately so that SSH and SSL (https) sessions can be served.

    • Auto-Generated

    If a default SSL certificate and SSL/SSH keys are in use, ROS immediately begins to generate a unique certificate and SSL/SSH keys for the device in the background. This process takes approximately 5 minutes to complete (depending on how busy the device is at the time) following the startup of the device. If a custom certificate and keys are loaded while auto-generated certificates and keys are being generated, the generator will abort and the custom certificate and keys will be used.

    • User-Generated (Recommended)

    Custom certificates and keys are the most secure option. They give the user complete control over certificate and key management, allow for certificates signed by a public or local certificate authority, controlled distribution of public SSH keys to network hosts that need them, and more.

    NOTE: The RSA key pair must be added to the ssl.crt file after the SSL certificate.

    For SSL, ROS requires an X.509 certificate in standard PEM format and an RSA key pair. The certificate may be self-signed or signed by a separate authority. The RSA key must be between 512 and 2048 bits in length. The certificate and keys must be combined in a single ssl.crt file and uploaded to the device.

    The following is an example of a combined SSL certificate and key:

    -----BEGIN CERTIFICATE-----
    (Base64-encoded certificate data)
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    (Base64-encoded key data)
    -----END RSA PRIVATE KEY-----
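    The ssl.crt requirements stated above (certificate first, then the RSA key, key length within the stated bounds) can be checked before upload. The following is an added example, not Siemens code: the function names and the minimal DER reader are hypothetical, the sample inputs are constructed and are not usable keys, and the certificate body itself is not parsed.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of the modulus in a PKCS#1 RSAPrivateKey (SEQUENCE{version, n, ...})."""
    tag, body, _ = tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag_v, _version, pos = tlv(body, 0)
    tag_n, modulus, _ = tlv(body, pos)
    if tag_v != 0x02 or tag_n != 0x02:
        raise ValueError("unexpected RSAPrivateKey layout")
    return int.from_bytes(modulus, "big").bit_length()

def check_ssl_crt(text, min_bits=512, max_bits=2048):
    """Return a list of problems; an empty list means the file passes.

    The defaults are the bounds stated in this guide; a site policy can raise min_bits.
    """
    blocks = [(m.group(1), m.group(2)) for m in PEM_RE.finditer(text)]
    labels = [label for label, _ in blocks]
    if labels != ["CERTIFICATE", "RSA PRIVATE KEY"]:
        return [f"expected CERTIFICATE then RSA PRIVATE KEY, found {labels}"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(blocks[1][1]))
    except (ValueError, IndexError) as exc:
        return [f"RSA key does not parse: {exc}"]
    if not min_bits <= bits <= max_bits:
        return [f"RSA key is {bits} bits, outside {min_bits}-{max_bits}"]
    return []

def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    size = (n.bit_length() + 7) // 8
    return bytes([0x80 | size]) + n.to_bytes(size, "big")

def sample_key_pem(bits):
    """CONSTRUCTED input: version and modulus fields only, not a usable key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    body = b"\x02\x01\x00" + b"\x02" + der_len(len(modulus)) + modulus
    der = b"\x30" + der_len(len(body)) + body
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN RSA PRIVATE KEY-----\n{b64}-----END RSA PRIVATE KEY-----\n"

# CONSTRUCTED placeholder certificate block; its body is never decoded here.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(check_ssl_crt(SAMPLE_CERT + sample_key_pem(1024)))   # passes
    print(check_ssl_crt(sample_key_pem(1024) + SAMPLE_CERT))   # wrong order
    print(check_ssl_crt(SAMPLE_CERT + sample_key_pem(4096)))   # key too long
```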

    For SSH, ROS requires a DSA key pair in PEM format. The DSA key must be between 512 and 2048 bits in length for Controlled versions. The key file is uploaded to the ssh.keys flash file on the device.

    The following is an example of a PEM formatted SSH key:

    -----BEGIN DSA PRIVATE KEY-----
    (Base64-encoded key data)
    -----END DSA PRIVATE KEY-----

    For more information about encryption key management, refer to Section 1.2, “Security Recommendations and Considerations”.

    Chapter 2

    Using ROS

    This chapter describes how to use the ROS interface. It describes the following tasks:

    • Section 2.1, “Connecting to ROS”

    • Section 2.2, “Logging In”

    • Section 2.3, “Logging Out”

    • Section 2.4, “Using the Web Interface”

    • Section 2.5, “Using the Console Interface”

    • Section 2.6, “Using the Command Line Interface”

    • Section 2.7, “Selecting Ports in ROS”

    • Section 2.8, “Managing the Flash File System”

    Section 2.1

    Connecting to ROS

    The following describes the various methods for connecting the device:

    • Section 2.1.1, “Connecting Directly”

    • Section 2.1.2, “Connecting via the Network”

    Section 2.1.1

    Connecting Directly

    ROS can be accessed through a direct serial console or Ethernet connection for management and troubleshooting purposes. A console connection provides access to the console interface and CLI.

    To establish a serial connection to the device, do the following:

    1. Connect a workstation (either a terminal or computer running terminal emulation software) to the RS232 serial console port on the device. For more information about the RS232 serial console port, refer to the RP110 Installation Guide.

    NOTE: The baud rate for the device is printed on the chassis exterior near the RS232 serial console port.

    2. Configure the workstation as follows:

    • Speed (baud): 57600

    • Data Bits: 8

    • Parity: None

    • Flow Control: Off

    • Terminal ID: VT100

    • Stop Bit: 1

    3. Connect to the device. Once the connection is established, the login form appears. For more information about logging in to the device, refer to Section 2.2, “Logging In”.

    Section 2.1.2

    Connecting via the Network

    ROS can be accessed over the network either through a Web browser, terminal or a workstation running terminal emulation software.

    Using a Web Browser

    Web browsers provide a secure connection to the Web interface for ROS using the SSL (Secure Socket Layer) communication method. SSL encrypts traffic exchanged with its clients.

    The ROS Web server guarantees that all communications with the client are private. If a client requests access through an insecure HTTP port, the client is automatically rerouted to the secure port. Access to the Web server through SSL will only be granted to clients that provide a valid user name and password.

    To establish a connection through a Web browser, do the following:

    1. On the workstation being used to access the device, configure an Ethernet port to use an IP address falling within the subnet of the device. The default IP address is 192.168.0.1/24.

    For example, to configure the device to connect to one of the available Ethernet ports, assign an IP address to the Ethernet port on the workstation in the range of 192.168.0.3 to 192.168.0.254.

    2. Open a Web browser. For a list of recommended Web browsers, refer to the section called “System Requirements”.

    IMPORTANT! Upon connecting to the device, some Web browsers may report the Web server's certificate cannot be verified against any known certificates. This is expected behavior, and it is safe to instruct the browser to accept the certificate. Once the certificate is accepted, all communications with the Web server through that browser will be secure.

    3. In the address bar, type the IP address for the port that is connected to the network. For example, to access the device using its factory default IP address, type https://192.168.0.1 and press Enter. Once the connection is established, the login screen for the Web interface appears.

    For more information about logging in to the device, refer to Section 2.2, “Logging In”. For more information about the Web interface, refer to Section 2.4, “Usin